[Samba] Unable to set ACLs with Samba 3.0.11, near publication deadline

Thomas Boutell boutell at boutell.com
Tue Mar 8 02:04:51 GMT 2005


Hello, Jeremy and Jerry,

I met both of you at LinuxWorld in Boston, where I learned tons and tons
of great stuff from your presentations.

I'm writing on deadline for publication and would really, really, really
like to show off Samba's ability to map NT ACLs to POSIX ACLs. But right
now, I can't make them work. I've spent some time on the Samba list
trying to make this work, but haven't received much of a response. I'm
also CC'ing David Sonenberg, who has reported the same or a similar problem
in well-documented emails to the Samba list.

I've made the effort to pull together as much information about
my configuration as possible in the hopes that we can nail down
this bug, or user error, or whatever it turns out to be in time
to write great things about Samba's abilities in this area.

Thank you!

* * *

So, here's the configuration:

* Samba 3.0.11, from the samba.org Fedora Core 3 RPMs
* Fedora Core 3
* ext3 fs mounted with acls on; setfacl and getfacl work great
* winbind in use in nsswitch.conf
* The server is a member of a Windows 2003 Active Directory domain

The share in question looks like this on the server:

[root@ADSambaFP1 samba]# !ls
ls -l /research
total 16
-rw-r--r--  1 AD\marketperson1 10003 33 Feb 21 21:16 research1.txt
-rw-r--r--  1 AD\marketperson1 10003 34 Feb 21 21:16 research2.txt

I can reproduce the problem using the smbcacls tool. There's quite a bit
of debugging information included below.

At the end of this message you will also find:

* The relevant part of "getent passwd"
* The relevant part of "getent group"

If you need any further information or assistance from me to resolve this,
please don't hesitate to ask.

Thank you very much!

* * *

[root@ADSambaFP1 samba]# !smbc
smbcacls //localhost/research research1.txt -a ACL:AD\\marketinggroup:ALLOWED/0/RWX -U AD\\marketperson1
added interface ip=192.168.2.211 bcast=192.168.2.255 nmask=255.255.255.0
Password:
Connecting to host=localhost
Connecting to 127.0.0.1 at port 445
Doing spnego session setup (blob length=99)
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 48018 1 2 2
got OID=1 3 6 1 4 1 311 2 2 10
got principal=adsambafp1$@AD.CORP.COM
Got challenge flags:
Got NTLMSSP neg_flags=0x60890215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60080215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60080215
Connecting to host=localhost
Connecting to 127.0.0.1 at port 445
Doing spnego session setup (blob length=99)
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 48018 1 2 2
got OID=1 3 6 1 4 1 311 2 2 10
got principal=adsambafp1$@AD.CORP.COM
Got challenge flags:
Got NTLMSSP neg_flags=0x60890215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60080215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60080215
lsa_io_sec_qos: length c does not match size 8
Failed to parse ACL ACL:AD\marketinggroup

* * *

getent passwd | grep marketperson1
AD\marketperson1:x:10021:10000:Marketperson1:/home/AD/marketperson1:/bin/bash

* * *

getent group | grep marketperson1
AD\marketinggroup:x:10015:AD\marketperson2,AD\marketperson1

--
Thomas Boutell
Boutell.Com, Inc. 
http://www.boutell.com/


